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UNCLASSIFIED 

FEDERAL BUREAU OF INVESTIGATION 


Precedence ; ROUTINE 
To; Jacksonville 


Date; 04/24/2012 



Title; UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE 


VICTIM 


Synopsis; To open case and document meeting with LaKfi county 
Sheriff's Office (LCSO) . 


Details; On 4/23/2012 SA| 

of FBI JK met with I I at^ 


~| and SAf 


J 


Florida 32778 to d iscuss i nformation that was passed from FBI HQ 
on 4/21/2 012 to SA| I about a possible computer intrusion by 
I into the LCSO network. 


[ 


] of LCSO was interviewed on 


4/23/2012 about a potential intrusion into the LCSO network. 

I I stated that he had been contacted by an FBI Agent out of 

San Antonio (SA) an d told of a possible computer intrusion back 
in January of 2012. I I stated that he attempted multiple times 

to reach back out to FBI SA with negative results. 

I I stated that he believed that the intrusion attempt 
was un - successful and provided logs and data. Writer and SA 
I I advised I I to look again for the possible intrusion by 

checking server logs and legitimate user accounts for unusual 
activity and ga ve him an overview of criminal hacking procedures 
and techniques. I I called Writer back on 4/23/2012 after the 
meeting to report that he had found a user account that was being 
accessed for illegitimate purposes and was going to continue the 
investigation. 


UNCLASSIFIED 


S : \DRAFTSl~ KU5r~|)U2.wpd 
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UNCLASSIFIED 


Jacksonville From: Jacksonville 
288A-JK-NEW, 04/24/2012 


Writer reached out to Cyd HQ, Bucharest ALAT I I 
1. and FBI SA on 4/23/2012 to coordinate the investigation 
and collect information pertaining to the possible intrusion at 
LCSO. The following is the details of the information that was 
provided : 

FBI SA nrovided the f ollowin“ 


Table name: SO_TBL_USERACCESS 

Data : I 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 

LCSO, 


FBI ALAT Bucharest nrovided the followin' 


UNCLASSIFIED 




UNCLASSIFIED 


# 


To: Jacksonville From: Jacksonville 
Re: 288A-JK-NEW, 04/24/2012 
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u^a^Rcv;4-,:.i3, : 

File Number "2^"^ A --C5k ~ 

Field Office Acquiring Evidence *1X1^ 

Serial # of Originating Document ^ > 

Date Received Ct>^ j / 

From P A 5T E H Trot I Co ry^ ' ' 


To Be Returned D Yes 
Receipt Given □ Yes 


No 
^ No 


Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes S No 

Federal Taxpayer Information (FTI) ' 

□ Yes No 



, 

(Name of Contributor/lnicrvicwce) 


(Address) 



(City and State) 


By _ 

5a 

n 



Reference; 


(Communication Enclosing Material) 


Description: D Original notes re interview of 

lPASTt)k\'T(v^l- , C£>/^ VA>^0f?<=vt6 Co'K^T^^'r f^rJD 


^C-a<s>6»^ ^Uq^< , 


ALL INlURiiATrOKr CmTAIMED 


FO-340 (Rev. 4.11-05) 
File Number 




Field Office Acquiring Evidence 

Serial # of Originating Document 

Date Received 


From! 




C Lcso') 


(Name of Coniributor/Inicrvicwee) 


3go w 5i- 


(Address) 

To.v<^/^5, Pi 3 


(City and State) 


By 




To Be Returned Q Yes 

Receipt Given ^ Yes *0(^9 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes G^CS^ 

Federal Taxpayer Information (FTI) 

□ Yes 


Reference: 


(Communication Enclosing Material) 


Description: D Original notes re interview of 

~io Co'ny^jh' ) J Qg* 7 Acc tPff tTd f P(fY 


^J. JLAV.A. XW/VV«^AAA T AW< 


^./X/AAXAAAAAVAVAV/AA 


AA K AVA:V4i.<WA AV4A 


Your Exam service request has been entered into the system and is pending review by the JK office. A representative, from the JK office will contact you shortly regarding the 
status of your request with further information and instructions. 


hhL INillEil&riOOSr GMTMimB 




Service Request ID: 

Request Type: 

Request Date: 

Request Priority: 

Requested Completion Date: 
Investigative Request? 

UCFN: 

Case Agent/Investigator: 

Case Agent/Investigator Field Office: 'JK 
Case Agent/Investigator Supervisor: [ 
Case Title: 

Case Synopsis: 


44687 

Exam 

04/27/2012 
2 (Priority) 
05/02/2012 
Yes 

288A - JK -53354 

I 


] 


UNSUB (S); LAKE COUNTY SHERIFFS OFFICE - VICTIM 
The Lake County Sheriffs Office was intruded into bv| 


an estimated 6.2 GB of data was exfiltrated. FBI is working with ALAT | | 


Submitting Agency: 
Agency Case/File Number: 
Contact Information: 


Assign Request To: 
Evidence to be Examined: 
Request Description: 
Legal Authority: 


FBI JK 


6061 Gate Parkway 
Jacksonville > FL 32256 


JK 

1 External HDD containing backups and images of three (3) virtual servers and logs. 
Copy HDD 
To Be Determined 
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.UNITED STATES DEPARTMENT. OF JUSTICE 
FEDERAL BUrFAU OF INVESTIGATiON 

Receipt for Property' Received/Returned/Released/Seized 

f 

File # : 

■ : 

'*C llllllllllllilM 

! On (date) 


DATE 

J . . J , ' w _. 

llllllllfc 

. r, 

item(s) listed below were: 

! 

1 i ^ 


O^Receiv.ed From 
n Returned To j^c 

□ Released To 
n Seized! 

(Name) 

^ fey CoLtn “/y 



i (Street Address) 

3/^0 WeJ-t 

Huiiy Tat^^^’es . FL\ '^^77? 

(City) 


y 


1 





i 

II Descriotion of Item(s): 

/ TAyy Baok 

2T3 

! 6cte^ku/}< ai^J rr^atsJZJ a 


\ 

i 

1 ' ^ 

-j ^ p 

Uo CKfp'l- 

‘ 

j 

i 

i 

!e^ /JJa'x 


S‘ ■ 

1 

Af’f2 

CL^o TTA') 


i 

j 


U.o ) / Uo C>'kr>X - (€c> A^pii . 

1 ■ .. 

V 


7 p 

1 

1 ^ 



' 

i 

! 

^ ^ 



WCAZ A3l 


' 

f ' 

! 




1 

i 





1 

■ i 




' 

r 

1 

! ■ 


r---- ^ .., 


— j 
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1 
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FD-340 (Rev. 4-11-03) 


File Number 


Z' 


\(& 


Field Office Acquiring Evidence 

Serial # of Originating Document 
Date Received 
From 










>-‘' s /V, : V ■ 






' •- ’ Or---.- ‘ > ■ ■ 


Jutor/Intcrvicwcc) 


(Address) 



To Be Returned D Yes No 

Receipt Given □ Yes D No 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
Federal Rules of Criminal Procedure 

□ Yes 

Federal Taxpayer Information (FTI) 

□ Yes tel No 


CjjNo 


Reference: 


(Communication Enclosing Material) 


Description: Original notes re interview of 


^ iJA'*- rf -u 


-4 
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ULL iKnrasiiftTioisr coumiMEO 



' Serial # of Originating Document ___^_:llJ____ 

Date Received jS/ ^ 

From yf IJT (-^(7 

(Name of Conlributor/lnlcrvicwcc) 


(Address) 


(City and State) 

I By SA 

1 

j To Be Returned D Yes 13 No 

> Receipt Given D Yes ^ No 

I Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 

I Federal Rules of Criminal Procedure 

; □ Yes > j0 No . 

I Federal Taxpayer Information (FTI) 

□ Yes jp No 


Reference: 



(Communication Enclosing Material) 


1 


Description: O Original notes re interview of 

Pccss 
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HERE-IN IS XMCULSSiriED 

lillllililllll^^^^ 


PRESS RELEASE 
05/29/2012 


Prosecutors Department for Organized Crime and Terrorism - Central structure 
deconstructed a criminal group, consisting of 14 persons, so they carried out 12 house searches 
in Bucharest, Iasi, Alba lulia, Piatra Neamt, Cluj Napoca, Turnu Severin, Arad, Craiova and 
Targu Mures Resita. 

Group leader was identified as the accused BALAEASA Gabriel, 24, of Piatra Neamt, 
known in the virtual environment with nicknames "lulzcart, anonsboat, anonsweb, Cartman." 

This, together with Gabor and Picos Fabian accused Michael Emil was a group, joined by 
other people involved in the cyber terrorist attacks. 

The group conducted an extensive criminal activity specific for cybercrime, which 
consisted of illegal access to computer systems, misuse of confidential or non public and 
published in the online environment seep data. 

Databases confidential / classified subjects were given preference for public institutions 
and businesses, both in Romania and abroad. 

For technical and practical way of operating, cyber attacks launched on the target server 
and Web pages, were SQL injection, using different applications, namely Havij, SQL, etc. 

Map. In most cases, after compromise and obtain unauthorized access to targeted sites, the 
group members brought changes to computer data, executing attacks "deface", consists of 
applying a web page instead of the main site, which was to change general in certain posting 
messages, links and images that promote group claims attack and hackers. 

Attacks were launched in order to obtain computer data, appropriate data were copied / 
transferred without the right and subsequently published in the virtual environment on various 
sites as evidence of hacking activity. 

Group members did so to launch attacks on a total of 29 sites, information infrastructure 
such unauthorized penetration achieved by infringement of security measures implemented in 
the server that housed the target Web sites. 

Criminal activity led to total or partial compromise of Internet sites and areas covered, 
resulting in significant costs to recover data and implement new security measures. 

At the D.I.I.C.O.T. will be brought to hear 12 people, to which research is carried out for 
crimes without the right to access information systems in order to obtain computer data in 
violation of security measures, modification of computer data without right and unauthorized 
transfer of data a computer system provided, of art. .Article 42. 1 , 2, 3 and art. Article 44. 1 , 2 
of Law no. 161/2003. 

The investigations were carried out with the judicial police officers in DCCO. - S.C.C.I. 
and Special Operations Division. 

The action was carried out with the support of the Romanian Gendarmerie. 

Technical support and information was provided by SRI. 


Comunicat de presa - 29.05.2012 hUp://\v\vw.diicot.ro/index.php?view=ai1iclc&catid=38:mass-m... 


Comunicat de presa - 29.05.2012 

Marti. 29 Mai 2012 00:00 
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COMUNICAT DE PRESA 
29 . 05.2012 


Procurorii Directiei de Investigare a Infractiunilor de Criminalitate Organizata §i Terorism 
-Structura Centrala au destructurat o grupare infractionala, constituita din 14 persoane, sens 
m care au efectuat 12 perchezitii domiciliare m municipiile Bucure§ti, la§i, Alba lulia, Piatra 
Neamt, Cluj Napoca, Drobeta Turnu Severin, Arad, Craiova, Re§ita §i Targu Mure§. 

Liderul gruparii a fost identificat ca fiind TnvinuituI BALAEASA Gabriel, 24 de ani, din 
municipiul Piatra Neamt, cunoscut m mediul virtual cu nickname-urile „lulzcart, anonsboat, 
anonsweb, cartman”. 

Acesta, impreuna cu mvinuitii Fabian Gabor §i Pico§ Mihai Emil a constituit o grupare, la 
care au aderat §i alte persoane, implicata in derularea agresiunilor de terorism cibernetic. 

Gruparea a desfa§urat o vasta activitate infractionala specifica, de criminalitate 
informatica, ce a constat m accesarea ilegala a sistemelor informatice, sustragerea de date 
confidentiale sau nedestinate publicitatii, precum §i publicarea fn mediul on-line a datelor 
exfiltrate. 

Bazele de date confidentiale/clasificate vizate erau de predilectie administrate de institute 
§i persoane juridice publice, atat din Romania cat §i din strainatate. 

Din punct de vedere tehnic §i ai modalit^tii concrete de operare, atacurile informatice 
lansate asupra serverelor §i paginilor web tinta, erau de tip SQL Injection, prin foiosirea unor 
diferite aplicatii informatice, respectiv Havij, SQL Map etc. In majoritatea cazurilor, dupa 
compromiterea §i obtinerea accesului neautorizat la site-urile vizate, membrii gruparii 
aduceau modificari datelor informatice, executand atacuri de tip „Deface”, constand fn 
introducerea unei pagini web Tn iocui paginii principale a site-ului, modificare care consta in 
general in postarea anumitor mesaje, link-uri §i imagini prin care se revendica atacul §i se 
promova gruparea de hacked. 

Atacurile erau lansate Tn scopul obtinerii de date informatice, date care erau dupa caz 
copiate/transferate fara drept §i publicate ulterior Tn mediul virtual pe diverse site-uri, ca 
dovada a activitatii de hacking. 

Membrii gruparii au procedat astfei la lansarea de atacuri informatice asupra unui numar 
de 29 de site-uri, patrunderea neautorizata Tn respectivele infrastructuri informationale 
realizandu-se prin Tncalcarea masurilor de securitate implementate la nivelul serverelor care 
gazduiau site-urile web tinta. 

Activitatea infractionala a dus la compromiterea totala sau partiala a paginilor §i 
domeniilor de internet vizate, generand costuri semnificative Tn vederea recuperarii datelor 
§i implementarii de noi masuri de securitate . 
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http:/Av\v\v.diicot.ro/index.php?vie\v=article&catid=38:mass-m... 


La sediul D.I.I.C.O.T. vor fi aduse Tn vederea audierii 12 persoane, fata de care se 
efectueaza cercetari pentru savar§irea infractiunilor de acces fara drept la sisteme 
informatice, tn scopul obtinerii de date informatice prin Tncalcarea masuriior de securitate, 
modificare fara drept de date informatice §i transfer neautorizat de date dintr-un sistem 
informatic, prev. de art. 42 aiin. 1, 2, 3 §i art. 44 aiin. 1,2 din Legea nr. 161/2003. 

Cercetariie au fost efectuate Tmpreuna cu ofiteri de politie judiciara din cadrul D.C.C.O . - 
S.C.C.I. §i Directia Operafiuni Speciaie. 

Actiunea a fost efectuata cu sprijinui Jandarmeriei Romane. 

SuportuI tehnic §i informativ a fost asigurat de catre SRi. 
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illiililMiliMg 

1111 1 1 1111 1 1 

nftTE D9-23-2014 BY 336,jl55T41/]fSICG 


Your Exam service request has been entered into the system and is pending review by the JK office. A representative from the JK office will contact you shortly regarding the 
status of your request with further information and instructions. 


Service Request ID: 45405 

Request Type: Exam 

Request Date: 05/30/2012 

Request Priority: 2 (Priority) 

Requested Completion Date: 06/08/2012 

Investigative Request? Yes 


UCFN: 2S 8A - JK -533 54 

Case Agent/Investigator: SA I I 

Case Agent/Investigator Field Office: JK 
Case Agent/Investigator Supervisor: $SA | | 

Case Title: UNSUB (S); LA KE COUNTY SHERIFFS OFFICE - VICTIM 

Case Synopsis: On 21 April 20121 botified LEGAT Bucharest thatf 


Submitting Agency: 

JK 

Agency Case/Filc Number: 


Contact Information: 

904-2487214 

Assign Request To: 

JK 

Evidence to be Examined: 


Request Description: 

copy media and give to SA and return originals to evidence. 

Legal Authority: 

Consent 


b6 

b7C 


b7D 


CART Service Request Confirmation - lA Material (Printed on 05/30/2012) 



4.|li03) " ' H-; 


Reference: 


(Communication Enclosing Material) 


f Descriptiom D Original notes re interview ( 


M,l, IMOSliftTICM CXBfTAIMED 






(Name of Contributor/Interviewee) / 

36? Uej-f- ^«Lr+<-«T 


i <yv<krc^ , FL, 351^7 r 


I 

By I 


(Address) 


(City and State) 


To Be Returned G Yes 1^ No 

Receipt Given □ Yes ^ No 

Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 


Federal Rules of Criminal Procedure 

□ Yes 

Federal Taxpayer Information (FTI) 

□ Yes 


0 No 


G No 






llliilitiaHmfim ccmtaihko 

MU Ml i g IS TOKUtssiriED H 

|||iill|S-:2:»-2014 BY J36J55T^41:^WIIil 


* > . - , j '•-V ~ * - . - V T. '-' 


■.»-■;:•• -‘V w _ .; 

r ■'"• ' ”, ' ft- 1’, 7 ’ ' 

‘ - ^ ■■ 


FD-340(Rcv.4-il^3Ff -i-'*.': 

isiFlieiNumhif "^^ ^ '^"S'SSS ^ 




Field Office. Acquiring Evidence _ 
Serial # of Originating Document . 


Date Received 


From 


'. of Contributor/Interviewee) 


(Address) 


(City and State) 


j- To Be Returned D Yes O No 

i Receipt Given D Yes D No 

I Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) 
j Federal Rules of Criminal Procedure 

I □ Yes □ No 

I' Federal Taxpayer Information (FTI) 

] □ Yes □ No 

I 

i Tide: 


Reference: 


(Communication Enclosing Material) 


\ Description: D Original notes re interview of 





^ 4 / 25/12 

16:16:22' 


HEREIN 

uMmrwssmm M swimimmmmmwsimifmss^ 

ICMIPROl 

FD-1.92 Page 1 


Title and Character of Case: 
■LAKE COUNTY SHERIFFS OFFICE 


Date Property Acquired: Source from which Property Acquired: 

I I LCSO 

04/25/2012 360 W RUBY STREET 

TRAVORES FL 32778 • 


Anticipated Disposition: Acquired BV: 


Case Agent 


Description of Property: Date Entered 

IB 1 

WESTERN DIGITAL MY BOOK STUDIO EXTERNAL HARD DRIVE, 

SN: WCAZA3188836 (2TB, W/ POWER SUPPLY & USB CABLE) 

CONTAINING: BACKUPS Sc IMAGES OF LEO APPl, LEO CITRIX, 

APP2 (LEO TTA) , AS WELL AS LOGS FROM LEO APPL, LEOCITRIX, . 

LEOASPl, WEBSITE LOGGING 

Barcode: E4725431 Location: ECR CART ' BIN14 04/25/2012 


Case Number: 
Owning Office: 


288A-JK-53354 

JACKSONVILLE 
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FD-1004 

Revised 

^-16-2009 


M.1. IMfCXEUsaTIOK COllffTAIMED 

FEDERAL BUREAU OF 

EVIDENCE CHAIN-OF-CUSTODY 



Firearms CertiFication; 
Printed Name: 


Case ID: - OK- &3>3SH' 


Signature: 
IB: 


I 


Date: 

Barcode: 



EVIDENCE CHAIN-OF-CUSTODY 


Continuation Page 


V . Relinquished Custody ? • 

Date and 
Time - 

- v’y?H'Accepted Custody 

' ^ate andj; 

Signature: 


Signature: 


Printed Name: 

Printed Name: 

Reason: 

Reason: 

, : ; Relinquished Custody , ^ V : 

Date and • 
/Time 

■ //Acc’epted ’Custody'-' ■ 

Date add <> 

Signature: 


Signature: 


Printed Name: 

Printed Name: 

Reason: 

Reason: 

Relinquished Custody 

Date and f 
Time 

■ Accepted' Custody-;? ,, -v?', 

Date and.v 

-. . Time 

Signature: 


Signature: 


Printed Name: 

Printed Name: 

Reason: 

Reason: 

; V Relinquish W Custody ^ 

.? Date and 

• ■'.Time:'’'”';’- 

'"''.’.’'■"Accepted-Custody' ■■’■*' 

.'Date and / 
-Time 

Signature: 


Signature; 


Printed Name: 

Printed Name: 

Reason: 

Reason: 


Date and . 

;■ v?Time,,,^ : ^ 

;..o;(/;:Ac’ce’pted,Custody? '-"iv.-i-'V? 

Date and 

■ ■'•'Tini'e 

Signature: 


Signature: 


Printed Name: 

Printed Name: 

Reason: 

Reason: 

;\/'-.',;/,Relinquished Custody?; / 

; D^ate ahd ' 

;_.;Jim’e;'.; 

■/;’ ri Accepted'Custody'^'';.”??''?-^^ 

v Date and; ; 

TuriC'-.-iS;' 

Signature: 


Signature: 


Printed Name: 

Printed Name: 

Reason: 

Reason: 


Case ID: 


IB: 


Barcode: 
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UNITED STATES DEPARTMENT OF JUSTICE 
FEDERAL BUREAU OF INVESTIGATION 
Receipt for Property Received/Returned/Released/Seized 


of 


/ 


Hilo# 931 } OK- 

‘-/js.zUoi'i 




On (date) 


(Name) C j '^y 

(Street Address)_ 

(City) 


Office \ 


item(s) listed below were: 
(^/Received From 

□ Returned To 

□ Released To 
Q Seized 


b6 

b7C 


^ ^ 


Description of Item(s): 

e^nk FFJ.'yp 2T3 


6a?:^uFf< GiaJ Fi ^ 

/ ■ U " ..... 

/r/? a X 

}ec O'/r^'x 


AFFj (L^OTIA') 

kc FiS 

lo<^^ leoaFf/o) , U/) . ^eh^''^e 

-IrJjjlh 

{/ ^ rf' / ■ " / / 




Received By: 


Received From: 
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q|/04/i2 

09:03:36 


&LL iniMiiiiiiMiiliiiilllM 
HEREIN l l illitM Mil l MiM 

ICMIPROI 

FD-192 ' Page 1 


Title and Character of Case: 



LAKE COUNTY SHERIFFS OFFICE. 

HTTP PASTEHTML COM VIEW BW2M4UWHB HTML 


b6 

Date Property Acquired: Source from which 

Property Acquired: 

b7C 

1 

1 

b7D 

05/30/2012 



Anticipated Disposition: Acquired By: 

1 ^ 1 

Case Aqent: 

1 1 

b6 



b7C 


Description of Property: Date Entered 

IB 2 


1.2: SEAGATE 1TB HDD, SN:W1D07MG6 (EXCHANGE LIVE ACQUISITION 

4/30/12, SECOND ORIGINAL FORENSIC IMAGE 

2.2: SEAGATE 1TB HDD, SN:W1D06LAK (LOG SERVER_4/30/l2 , 

SECOND ORIGINAL FORENSIC IMAGE) 

3.2: SEAGATE 500GB HDD, SN:9QM9T8PD (IMAGES FROM LCSO, 

LEOCITRIX, LEOAPPl, LEOTTA APP2, SECOND ORIGINAL FORENSIC 
IMAGE) 

4.2: COMPACT DISK (CD), COPY OP LSCO-120490-4 CD REC'D FROM 
LCSO HELP DESK E-MAIL 

5.2: SEAGATE 500GB HDD, SN:W1D072K7 (IMAGES FROM (USERS + 

DEPTS BACKUP FROM 3-31-12) SECOND ORIGINAL FORENSIO IMAGE 
6.1: SEAGATE 1TB HDD, SN:5VP9S0H9 (IMAGES FROM LSCO 5/7/12, 

ORIGINAL FORENSIC IMAGE) 

Barcode: E4725693 Location: ECR CART BlAi 14- 05/30/2012 




Case Number: 
Owning Office: 


288A-JK-53354 

JACKSONVILLE 





V 
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FD-1004 

Revised 

9-16-2009 


FEDERAL BUREAU OF INVESTIGATION 

EVIDENCE CHAIN-OF-C0STODY 


Evidence Type: □ General 
□ CART 


□ Drug 

□ Valuable 


□ Firearni/Weapoii 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 04 /26/2012 


On April 26, 2012 Federal Bureau of Investigation (FBI) 
Special Agent (SA) | ~| connected to the Internet and 

navigated to the following Uniform Resource Locator (URL) : 

http : //pastehtml . com/view/bw2m4uwhb . html 


The resulting web page appeared to be a tree listing of the Lake 
County Sheriff's Office (LCSO) server files. The web page, if__ 
printed, would have been 194 pages in length; therefore, SA| 
saved t he web page to a Portable Document Format file (PDF) . STT 


^ , - 

J then captured a screen print of the top of the web page. 


scrolled to the bottom of the web page and captured another screen 
print. 


b6 

b7C 


b6 

b7C 


The screen captures and .web page content pdf were copied 
to a CDR and placed in an FD-340 lA envelope and added to the lA 
section of the case file. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 04 /3 0 / 2012 

On 4/27/2012 1 I of the Lake b6 

County Sheriff's Office (LCSO) at 360 West Ruby Street, Tavares, b7c 

Florida 32778 was contacted telephonically to discuss the 
invest igation into the LCSO network intrusion. Writer informed 

I that data related to the intrusion had been placed on-line at 
the Uniform Resource Locator (URL) 

http://pastehtml.com/view/bw2m4uwhb.html. The resulting web page 
appeared to be a directory tree listing of the LCSO files. The web 
page, if printed, would have been 194 pages in length and contained 
the names of directories and files that may have been exfiltrated 
from the LCSO network. It was later learned that four (4) files 
were posted to pastebin.com which were named Cyber Crime.zip, 911 
Calls. zip. Swat Team Files.zip and Full Dump With Even More files 
then above.zip. Writer do wnloade d the above referenced files which 
were over 4.7 GB of data . I I said that he would report the 
posting of the data to his command staff. 


During the night of 4/27/2012 I I contacted writer be 

again multiple times about email that was sent out to all the users b7c 
on the LCSO network from the hackers. The email informed all the 
users that received the email that t he LCSO network had been 
hacked. Writer again informed I I that it was safe to assume that 
the entire LCSO network was compromised and that proper incident 
respon se and remediation should be undertaken by an outside firm. 

I asked if Wri ter could recommend any good g roups t o which 
Writer gave I I a list of IT consulting firms. F I said that 

they had changed all the passwords that they believed were 
compromised but that obviously did not work. He stated he would 
brief his command staff again and emphasize the severity of the 
situation and the need to have an external professional team come 
in and conduct the proper incident response and mitigation. 


On 4/28/2012 I I met with f 


Security Firm locat ed at^ 

I I Writer re ached ou t to contacts in the Tampa 


~| which is a Cybe r 


Divis ion and was assured that f 
Firm. [ 


1 was a credible Cyber Security 


b6 

b7C 

b7D 
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Continuation of FD-302 of 


■ On 4/30/2012 .Page 2 


I contacted Writer and provided his cell phone number 

I and office number I I and said that they were 

taking steps to secure the LCSO network and would retain any and 
all evidence o f the intru sion to assist in the on-going 
investigation. I I believed that the intrusion was related to 

multiple other intrusions by the same group of hackers and had 
located several IP addresses that he believed went back to 
infrastructure controlled by the hackers. 


On 4/28/2012 I I informed Writer by telephone that the 

Florida Department of Law Enforcement (FDLE) had contacted him 
because of some information they had rec eived about the intrusion 
into the LCSO network. Writer spoke with | I of FDLE and 

I I for FDLE and 

coordinated the LE efforts. 


On 4/28/2012 I I with the LCSO 

reached out telephonically to Writer about a possible press report 
that would be coming from a news team out of the Orlando area. The 

news team received a tip and was asking LCSO for a 

statement/interview. Writer contacted and brief ed | 
of FBI Jacksonville on the situation. I I contacted I I 

and asked him to limit his comments if possible and would not 
object to mentioning the FBI if he and/or the Sheriff thought it 
would help. I I of the Office of Public Affairs, National 

Press Office, FBI HQ was briefed on the situation and advised all 
to use the statement "We ' re aware of this report but cannot comment 
further . " 


FBI HQ Cyber Criminal PM SSA I I who has 

been working with Jacksonville on this intrusion was updated and 
advised of the current situation and continues to coordinate with 
FBI Jacksonville. 

Writer identified the following online reports about the 

intrusion: 

news . softpedia.com/news/AntiSec-Hackers-Leak-40-GB-of-Data-from- 
Lake-County-Sheriff-s -Office- 266784 . shtml 

paintsthefuture.com/lake-county-sheriffs-office-hacked-by-antisec- 

and-leaked-4-7-gb-of-stolen-data/ 


b6 

b7C 
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b7C 
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Continuation of FD-302 of 


, On 4/30/2012 , Page 


jimmy89vl .blogspot . com/2012/ 04/lake-county-florida-sheriffs- 
office.html 

gnsec . com/modules/d3pipes/index.php?page=clipping&clipping_it71380 


On 4/30/2012 I I stated via telephone that they had be 

collected images of drives and other evidence of the intrusion and b7c 

believed that it involved three 3 people, 1 in the US, 1 in Moscow 
and 1 in the Ukraine. 


on 4/30/2012 I I was contacted telephonically and be 

stated that the LCSO was in lock down mode with the email server b7c 

and website down as well as other services and that they were b7D 

working with ] | to review all systems and bring them up one at 


data related to the intrusion and copies will be made and provided 
to the FBI to support the ongoing investigation. News channel 9 
reported the LCSO intrusion. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 04 / 25 / 2012 

On 4/ 23/2012 SaI land SA I I of 

FBI JK met with I I of the Lake County- 

Sheriff's Office (LCSO) at 360 West Ruby Street, Tavares, Florida 
32778 to discuss information that was passed from FBI HQ on 
4/21/2012 to SA I I about a possible computer intrusion by 

I \ into the LCSO network. 

I I was interviewed about a potential intrusion into 
the LCSO network. I I stated that he had been contacted by an FBI 
Agent out of San Antonio (SA) and told of a possible computer 
intrusion into the LCSO back in January 2012. I I stated that he 
checked his systems and found no evidence of the intrusion and 
attempted multiple times to reach back out to the FBI SA with 
negative results. 

I I was asked about any new intrusions into the LCSO 
network and stated that there were un- successful attempts and 
provide d logs and dat a to back up his conclusions. Writer and SA 
I I advised | | to look again for the possible intrusion by 

checicing server logs and legitimate user accounts for unusual 
activity and ga ve him an overview of criminal hacking procedures 
and techniques. I I called Writer back on 4/23/2012 after the 

meeting to report that he had found a user account that was being 
accessed for illegitimate purposes and was going to continue the 
investigation. I I was given part of a database table that FBI 

San Antonio had provided to Jacksonville when Jacksonville had 
reached out and inquired about the January 2012 contact with LCSO 
after leaving the LCSO meeting. 

On 4/25/2012 Writer met with | | and other staff from 

the LCSO. LCSO was again informed that the FBI had an open ongoing 
investigation into the intrusion and was working with international 
partners. I I provided one (1) hard disk drive (HDD) that 

contained images of 3 virtual servers, logs and data related to the 
intrusion. | | was given a property receipt (FD-597) for the HDD 

and signed a consent to search computers form. The HDD was placed 
into evidence and a CART request was completed requesting the 
imaging of the drive. HQ was contacted and forwarded a case support 
request form for assistance in reviewing the HDD and data provided 
by LCSO. 
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To: Jacksonville 


From: Jacksonville 
11 

Contact: SA 


Approved By: 



S/ 1 / K 


Drafted By: 


Case ID #: 288A- JK-53354 (Pending) 

Title: UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - VICTIM 
Synopsis: To update case. 


Details : 


On 21 April 20121 


notified LEGAT Bucharest that 



(U //F0U0 ) FBI Jacksonville immediately notified LCSO of 
the suspected intrusion. On 23 April 2012 Jacksonville met with 
LCSO and provided them an overview of criminal hacking 
techniques. Shortly thereafter, LCSO identified an unauthorized 
user account being accessed for illegitimate purposes. LCSO was 
instructed to begin remediating the problem and capturing 
forensic evidence. 

(U/ ' Y T0U04 - LCSO was unsuccessful in fully eradicating the 
malicious actors, and on 27 April 2012 the LCSO mail server was 
compromised and used to distribute a mass e-mail message alerting 
all system users to the intrusion activity. One of the 
recipients of the message was the Florida Department of Law 
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kl2in>212.wpd 




UNClASSIFIED//lS:^=QFFieK5±r^SE=QJII2 


To: Jacksonville From: Jacksonville 

Re: 288A-JK-53354, 04/’30/2012 


Enforcement (FDLE) , the state's central law enforcement agency. 
Later the same day, Twitter user "EvilSecurity" tweeted links to 
approximately 4.7 GB of LCSO's data, as well as a username and 
password to an account on LCSO's mail server. 

On 28 April 2012 the Romanian- owned website 
Softpedia reported the theft of 40 GB of data from LCSO. The 
breach was attributed to Operation AntiSec, a series of hacks 
performed by members of Anonymous and Lul zSec. Ac cording to 
Softpedia, one of the hackers, presumably I ~| , claimed 35 GB 

of the stolen data consisted of law enforcement software 
applications. The remaining 5 GB, which was posted online, 
consisted of "everything stored in the office's internal network 
that could be considered of value," including cyber crime 
information, audio recordings of 911 calls, photographs and 
personal details of SWAT operators, subpoena records, and FBI 
Intelligence Bulletins. 


Investigative Action Plan: Jacksonville is currently 

coordinating this investigation with LCSO, FDLE, FBI Phoenix, 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05 /Ol/ 2012 

Lt. I I . Lake county Sheriff's Office (LCSO) , be 

Florida was interviewed by the Federal Bureau of Investigation b7c 

(FBI) regarding a recent computer intrusion into LCSO. After being 
advised of the identity of the interviewing Agent and the nature of 
the interview, I [ provided the following- information: 

I I contacted FBI Special Agent (SA) I ~l and be 

advised that she had gone through the files that they believe were b7c 

compromised and identified a file named FBI UPDATE TARGETING OF 
PRISONERS FOR IDENTI TY THEFT.pdf from 2010 and that it was 
unclassified. I I is not aware of any classified information at 
the LCSO. 

According to a conversation I I had with Lt . I I be 

~| who coordinates the LCSO S.W.A.T team, there were no FBI b7c 

agent's personal information obtained. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/ 01/2012 
[ Lake 

County Sheriff's Office (LCSO) , Florida was interviewed by the 
Federal Bureau of Investigation (FBI) regarding a recent computer 
intrusion into LCSO. After being advised of the ide ntity of the 
interviewing Agent and the nature of the interview, I I provided 
the following information: 

I I contacted FBI Special Agent (SA) F I 


After receiving the e mail, s everal LCSO members contacted I I to 
report the incident. | ~| stated) |_ 
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Title: (U) 
Synopsis; 


Anonymous Romania 
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regarding the 

Anonymous Komania nack into tne Lake county Sheri:f£*s Office. 
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(U) Legat Bucharest's coordination with the FBI's Cyber 
Initiative and Resource Fusion Unit (CIRFU) previously identified 


bl 
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Cyber From: Bucharest 
(U) 163K-BO-893, 5/02/2012 


(U) On 4/21/2012, ALAT | | c ontacted LCSO and 

notified the database administrator there, | I e-mail 

I regarding the possibility of an intrusion. 

I acknowledged the notification and began conducting research 
to verify the intrusion. 







A sample of the information posted by^ 


bi 




To: Cyber From: Bucharest 
Re: (U) 163K-BO-893, 5/02/2012 



(U) The information resulted in coordination with CyD 
and JK Division, resulting in the initiation of case 288A-JK- 
53354 . 
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Set Lead 1: (Info) 
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(U) For information. 
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Anonymous Romania hack into the Lake County Sheriff's Office. 
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(U) ALAT I I provided the link to pastehtml.com to 


Jacksonville Cyber on 04/26/2012. 
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LEAD(s) : 

Set Lead 1: (Info) 

CYBER 

AT CCU-1. DC 
Read and clear. 

Set Lead 2: (Info) 

JACKSONVILLE 

AT JACKSONVILLE. FL 
Read and clear. 

Set Lead 3: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT. DC 
Read and clear. 
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LEAD(s) : 

Set Lead 1: (Action) 

CYBER 


AT CIRFU. DC 
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positive results with Buch arest and Jacksonville for 
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Read and clear. 

Set Lead 4: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT. DC 
Read, and clear. 


♦♦ 


UNCLASSIFIED 


3 



ALL IMfORmf lOM CorTAIMlD 
mmiE IS uwcLissmEE sxzept^ 
MHEEE, BmXM OfHElMISE 

^Rev.05.'^!-20^8) \ 


CLASSIFIED BY JSOSST41/MSIC5G 
m: 1.4 IBX.D) 
ii;iliilill||:|il|lil 0 9 “-2 □ 3 S' 


^gHEJuSi 

^DECL 


(:!gNFmKN'l i liy:i//l ]' C.I ROU/REL I'U Ub'A, ESQ 


FEDERAL BUREAU OF INVESTIGATION 


Precedence : ROUTINE 


Date: 05/10/2012 

To : Cyber 

Attn: 

CCUl. SAI 

1 



CCU2, ssaI 




SSA 

1 

Jacksonville 

Attn : 

SA 1 




SA [ 1 


International Operations 

Attn : 

Eurasia Unit, SSAl 1 


From: Bucharest 


Contact : ALAT | 




Approved By: 


Ural: ted By: | 



Case ID #: 163L-BO-893 (Pending)'^ 

288A-JK-53354 ( Pending) 


Title: ANONYMOUS ROMANIA 


.11'^ 

SvnoDsi s : ( /TRSJUL 1 




] regarding memoers ot 


Anonymous Romania, reported hacks, and future targets. 


Derived From^2>^H5X 
Declassify^n: 203 


tiple Sources 






To: Cyber From: Bucharest 

Re: 163L-BO-893, 05/10/2012 





??r . )NKl ]Th!M T li U^//L L l ROU/REL 'i'U Ufa'Af -^Cgi 


To: 

Re: 


Cyber From: Bucharest 
163L-BO-893, 05/10/2012 





CONE 




CSL//FGI IlOU/rgJL TO Ub'A, pm 



To: Cyber From: Bucharest 
Re: 163L-BO-893, 05/10/2012 


LEAD(s) : 

Set Lead 1: (Info) 

CYBER 

AT CCU-1. DC 
Read and clear. 

Set Lead 2: (Info) 

JACKSONVILLE 

AT JACKSONVILLE. FL 
Read and clear. 

Set Lead 3: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT. DC 
Read and clear. 


♦♦ 




a.//FGI ROU/REL TO USA, RCT I 


4 


ov. 8-30-2010) 

Squad supervisor approval 
(please initial) 


Accomplishment Involves: I 
(check ail that apply) | 

Drugs Q 

A rugliivo D 

Bankruptcy Fraud □ 

Computer Fraud/Abuse @ 
Corruption of Public Official Dj 
Money LaurvJering D 

I Sub Invest Asst by FO(s) □ ! 

Asst.FO(s) 

A. B. C. "dT 

I Task Force I 


■illllllM 

Accomplishment Report 

(Accomplishment must be reported and loaded into 
ISRAA wjthio 30 days from date of accomplishment) 


Date Prepared , 

Date Loaded /S ff^ 
Date Loader’s Initials L-_J 


File Number 



investigativo Assistance or Technique Used 

1 . Used, but did not help 3. Helped, substantially 

2, Helped, minimally 4. Absolutely essential 

For Sub, Invest. Assist, by other FO(s) indicate A. 0, C, 0 for corresponding FO 


RA 

Squad 


/I 


Assisting Agents Soc. Sec. No. ^ 

T - r 


Assisting Agencies x • — 1 

1, h 

2. Name: 

A. Complaint / Information/ Indictment 

rT^edoral FH International 

Complaint Date: 

Check if Civil Rico Complaint □ 

Information Date: 

Indictment Dale: 

B. Locate/ Arrest 

Q Federal QLocal International 

Subject Priority; 

Locate Date: 

Arrest Date; . 

Q Subject Resisted Arrest 
[] Subject Arrested was Armed 

C. Summons Date: 

Q Federal Q Local 

0. Recovery / Restitution / PELP X 
Q Federal Q Local Qlf^lcroaiional 

Recovery Date: 

Code • ^ Amount $ 

Code • _ / Amount $ --- 

Restitution Dale: 

Q Court Ordered QPrelrlal Diversion 

Code • / Anwunt $ 

PELP Date; 

Code* y Anx)uni 

E. Hostagos(s) Released Datoi 
Released by: | | Torrofistf*]| Other 
Number of Hostages: .. 


Rato FQ tAT j 


Ra Analyst 


Aircraft Asst. 


^ Computof 
ConsenMoa 
ElSUR/nSC 
EISUR/T.m 
Eng. FieW Spt. 
Eng. Tape Ex. 
XogalsAsst. 
Evkf. Pur chaso 

Tiycwtnfo 

Lab OKr^Exam 


F. Conviction 

□ Federal Q Local n International 

Conviction Date: 

Subject Description Code • ( ) 

r or 6F. G, H-Includc Agency Code 
n Felony or fl Misdemeanor 

□ P/ca or □Trial 

State: Judicial District; 

G. U.S. Code Violation 
Required for sections A, 8, F and J 
(Federal Only) 

Tnie Section ff Coui 


tAT 


tab. Fj^ Sup 


Pen Registers 


f^oto Cover 
Potygrapti 
Search Worranl 
Show Money 
SOGAsst 
Swat Team 
Tcct^.A9/Eq<^"p. 
Phone Ttfl Rec 
UCO-GfOupl 
UCO-GroupIl 





CAVC/Vf 


rInVNS Intel A,^ . 
:nsi$ Ncq,- Fee 
^feisWeg- local 
IRTAsst. 
lutte-OSC 
i.av-0$C 
^oc-SC 
'ech Ro$p Orut 
•or, Lang Asst. 
Jon F6I Lab E> 


Rato FO tAT 

Vict-Witn Coot 
IQ Wanted Flyer 

,SARs 

CART 

Asset fort Prog 

fort Support Prci 

TFOSA^TO 

CXS/CTO 

in/raGard/CyO 

OFC/CIO 

PPR 

Fusion Centers 


H. Sentence Datn; 

Sentence Typo: * 

In Jail? Years Months 

Suspended: Years Months 

Probation: Years Months 

Finos: $ - 

I. Disruption/DIsmantlomont; / 

Disruption Date; 

Dismantlement Date; 

Compfetlon of FO-5l5a Side 2 Mandatory 


J. Civil Rico Matters Date; 

Also complete •Section G“ 

Other Civil Matters Date; - 

Judgment -* 

Judicial Outcome *x 

Amount $ — - - 

Suspension; Years Months 

K. Admlnlslfativc Sanction 

Subject Description Codo • 

Type: Length; 

S Suspension | [ Permanent 
Debarment or 

□ Injunction Vnar Months 

L. Asset Seizure Date: 

Asset Forfolluro natn? 

CATS # Mandatory 

Circle below one of the three asset forfeiture: 
Admin, Civil Judicial, or Criminal 
Do not Indicate $ value In Section 0 

M. Acquittal/ Dismissal/ Pretrial Diversion 
(Circle one) Date; 

N. Drug Seizures ^ Date; 

Drug Code \ 

Weight - Codo * 

FO)N 

Do not indicate $ in Section O 

O. Child Victim Information 
Child located / identified Date; 


I [Living 


P. Subject Information • Required for all blocks excluding block O (Rocovery/PELP), blocks E, I, L and N 


1 Name 

Race* 

Sex 

Date of Birth 

Social Security No. (if available) 




M ^ 




for fc^<3<a<iw>is/Cortvlc«ioAs ©rtl/' 

PI rWawd *0 Vk tCN. Aswn> Ofgawz<id Cruw# (A0C>. OTJ»>ze<J Cri^vi <(CCX C»ribt> 0 »A. or MjortArt OiTrt* Croup • 

Cori^Vi^d FD-5!5a. S<* ( 8iOCkl A*£ r-*1 n\ *c>cwofyu«* 

□ Subj«* rowed to MX OC<t>ru 9 or8*riia6o<v » VCMO Pro{)r*m Cartg Sirato^y torjoi q^ouP. or a VC WO Prc^unx tM>ore» Prer ty Urgal » 


CorrNp»»tor<>5lSa.$KtoiPtoa>A-Co<vy- 


Serial No. of FO-615 


X Additional information may be added by attaching another form or a plain sheet of paper for additional entries. 

♦ See codes on reverse side. US 

/ Requires that an explanation be attached and loaded Into ISRAA for recovery over $1 m and PELP over $5 n%, disruption, dismantlement, and drug seizures,. 










For Further Instructions See: MAOF, Part II, Sections 3-5 thru 3-5.3. 
Uevised 12-19-2006 


rROFKKlV C'()»)hl^ 

01 

02 StCK^J, Bonds ot Negot InstnurKnis 

03 Gcncol Kctil Merchandise 

0» VdiWcs 

05 I Icavy Machinery & nqxflpmcni 

06 Atfcraft 

07 Jewelry 

08 Vessels ^ 

09 An, Ar*K^lCS or Rare CoUcclions 

1 1 Real Property 

20 Another 

hKNTijjChrrvph^s 

CR CajMlal Punt$h»Mrt( 

JS J«1 Sentence 
LP Ijfe Parole 
tS iJfeScrtcncc 

NS No Sentence (Su^cd ts * Fus>6vr. 

Insane, has dkd, is a Cofporatton or 
must pay fine only) 

PB Prohaiioo 

S J Suspension of Jaj 1 Sentenoe 

ye Youth Correction Act 

PKLPCODRS 

22 Countcifcii ^ 

StocVVBonds/Cunvncy/ 

Nc3^)dd>le Instrunenu 

23 COunicffnt/Piratcd Sound 

Recordings or Motion Pictures 

24 BanJtThcft Scheme Aborted 

25 Ranson\ Cxtoftwn or Bribe 

t>cJT«^ Aborted 

26 Theft I'rom or Fraud Against 

GovcnwKiH Sdicme Aborted 

27 ComnKTcial or Industrial 

'fbeft Schensc Aborted 
30 Another 

RACKCODFS 

A A siaiVl'ad fie Islander 

B BlacV 

1 Indtan/Atnetican 

U Unknown 

W White 

X Nonindividual 


ACFJs-CYCODFiS 

AFOSl A if Force Oftke o f Specif Investigations 

ACIS Anny CiwmJ In vcsilgadvc Service 

BATH Bureau of Alcohol, Tobacco & Firearms 

BIA Bureau of Indian Affairs 

CBP Customs and Border Protccu'oo 

DCAA Ikfensc Contract A ud»t Agency 

DClS Ikfensc Ciinunal.lnvcstigatlve Service 

DliA Ditiq; enforcement AdrninistratJOn 

IXX2 OepartnscntofCorroctions 

DOI Dept of Interior 

DUS Dept of Homeland Security 

IIPA environmental Protection Agency 

FAA Federal Aviation Administration 

FDA F’ood aivl Drug Admirustraiton 

HHS Dcpt<df Health & Human Services 

HUD D<i)t of Housing & Urban DcveloptnenI 

ICB Immigration and Customs Enforcement 

IRS Internal Revenue Service 

NASA Natl Aeronautics & Space Admin 

NBIS Nafl NA RC Border Interdiction 

NCIS Naval Criminal Investigative Service 

RCMP Royal Canadian Mounted Police 

SBA Small Business AtSnmlstralion 

usee U S. Coast Guard 

USDS U.S. Di^artnient of State 

USMS Uiv Marshals Service 

USPS US, Postal Service 

USSS US.Surrcc Service 

US1R UJS,Dca$xay 

LOC local 

CflY City 

COUN County 

ST Sutc 

OTHR Other 

JUDGMFKrCODFiS 

CJ Consent Judgment 
CO Court Ordered Settlement 
DF Default Judgment 
DI Dismissal 

JN Judgitient Notwithstanding 
MV Mixed Verdict 
SJ Sunmaiy Judgment 
VD Verdict for Defcndjnt 
VP Verdict for PlaintltT 


JtlDKTALOiriCOMK 

AC Agreement 
BR BaiTcdKcmovcd 
CC CivilContonpc 
DC Disciplinaiy Charges 
FI Fine 

PI lYeliminary Injonctwn 
PR Tcmporaiy Restraining Order 
PS Pfe^filingSctUcmcnt 
RN Restitution 
SP Suspensioo 
VR Voluntary Rcsignarlon 
OT OUier 

simjKcrpRiORrrv 

A Subject wanted fot crimes of violence, 

(I c, rnurder, nunslaugltfcr, forciWe r^) 
against another individual or convicted of 
such a crime in the past five years; 

B Subject wanted for crimes involving loss 
Of dcsliuctlon of propciiy valued in excess 
of S25.000 or convicted of^such a crime 
in the past five years. 

C All other subjects, 

DRllGCOOFiS 

COC Couinc 
HER Heroin 
HSH llaslush 
KAt Khat 
LSD l,SD 
MAR Maiijuana 

MDM Mcthylencdioxymcthampbciamine 


MEP 

MctJiamphcuminc 

MOR 

Motphinc 

OPM 

Opium 

OfD 

Other drugs 

DRUGWKIGIirCODFiS 

CM 

Gram($) 

KG 

Kilogfam(s) 

L 

UtCT(s) 

ML 

MillihtertO 

P 

Ptant(s) 

DU 

Dosage Unit<$) 


ORGANiy.KOCRIMR 

NtJBJLCiy 


IF Boss 

JO Underboss 

ill Cbrsigllcro 

IJ Acting Boss 

IK Capodccina 

IL Soldier 

KNOWN CRtMlNAl.S 

2 A Top Tci or 10, Fugi live 

2B TopThief 

2C Top Con Man 

FXIRFIGN NA'I IONAI2; 

3A Ixgal Alien 

3B Illegal Alien 

3C Foreign Official W/out 

DIpJoinaiic Immunity 
3D U.RFjnployccW/out 

Diplomatic Immunity 
3lj Foreign Student 

3F All Others 

•IFRRORIXTS 

4 A Known Member of a 

Tcrroiist Orgamaaaon 
4B Possible Terronst Member 

or Sympathiacf 


SUIUF:CT DFISCUIPTION coi)f:s 

UNION MRMBKRS 


ContinuatlefiofCOVKRNMKNrSUBJKCl^ 


5D President 

5B Vice-President 

5F Trcasujcr 

5G Scactaryffreasurtt 

5H Executive Board Member 

51 Business Agent 

5) R^Mvsentativc 

5K Ofganiaer 

5L Business Manager 

5M Financial Sccrctaty 

5N Rccoftfing Secretary 

5P Office Manager 

50 Clerk 

5R Shop Steward 

5$ Member 

5T Trtstcc 

5U Ollier 

GQVFUNMFiNTSUBJKCrS 
(6F, 6G, 611- Inelude Agency Code) 

6A Presidential Appointee 

6B U.S. Senatot/Suff 

6C U.S Rcprcscf«aiive/Surr 

61> FexleraUudgo^fagtscratc 

6E Federal Prosecutor 

6F Federal Law Cnfoi cement Officer 

6G Federal Employee - CS 1 3 i Above 

611 Federal Dnployce - CS 12 & Below 

6J Covenw 

6K U. Govertvjc 

6!« State Legislator 

6M State Judge/Magistraic 


6N 

State Prosecutor 

6P 

State l.aw Enforcaneiit Ofliccr 

CO 

State -All Others 

6K 

Mayor 

6S 

Local Ijcgislator ^ 

6T 

Ixical Judge/Magistrate 

6U 

Local lYosccutor 

6V 

Ijocal Ijw IViforccment Offieer 

6W 

Loeal-AU Others ^ 

6X 

County Conui^ioncr 

6Y 

CityCouncilmait 

BANK FiMPLOVKKS 

7A 

Bank Officer 

7B 

Bank Employee 

ornFR,s 

8A 

All OiIkt Subjects 

8B 

Company or Corporation 

CIIII.D PREDATORS 

9A 

Child Care provider 

9B 

Ckrgy 

9C 

Athletic Coach 

9D 

Tcacher/Aidc 

9H 

Law Enforeemoxt Personnel 

9F 

Counselor 

9G 

Rdaiivc 

911 

Stranger 

91 

Other 


X 


-2- 




Page 


. 05/31/12 15:52:06 


05/31/2012 


***********»lr***i*r* arrest **************** 
SENSITIVE / UNCLASSIFIED 


Case Number: 288A-JK-53354 
Serial No.: 15 


Stat Agent Name: 
Stat Agent SOC.: 


Report Date: 05/31/2012 
AccomDate.: 05/29/2012 


Does Accomplishment Involve 


Assisting Joint Agencies 


Assisting Agents SOC 


Subject Name 


Drugs ; N | | || | | 

A Fugitive : N | | 

Bankruptcy Fraud : N | | 

Computer Fraud/Abuse : Y | | RA Squad Task Force 

Corruption of Public Officials: N | | 

Money Laundering : N | HQ 11 


Sub. Invest. Asst by Other FOs: 


Investigative Assistance or Technique Used 


FI NAN ANALYST 


LAB FIELD SUP 


UCO - NAT back 


VICT-WITN COOR 

AIRCRAFT ASST 


PEN REGISTERS 


NCAVC/VI-CAP 


10 WANTED FLYR 

COMPUTER ASST 


PHOTO COVERGE 


CRIM/NS INTEL 


SARS 

CONSEN MONITR 


POLYGRAPH 


CRIS NEG-FED 


CART 

ELSUR/FISC 


SRCH WAR EXEC 


CRIS NEG-LOC 


ASSET FORF PRO 

ELSUR/III 


SHOW MONEY 


ERT ASST 


FORF SUPPORT P 

ENG FIELD SUP 


SOG ASST 


BUTTE OSC 


TFOS/CTD 

ENG TAPE EXAM 


SWAT TEAM 


SAV OSC 


CXS/CTD 

LEGATS ASST. 


TECH AG/EQUIP 


POC SC 


INFRAGARD/CYD 

EVIDNCE PURCH 


TEL TOLL RECS 


FT. MON-NRCSC 


OFC/CID 

INFORMANT/CW 


UCO-GROUP I 


FOR LANG ASST 


PPP 

LAB DIV EXAMS 


UCO-GROUP II 


NON FBI LAB EX 


FUSION CENTERS 

t is for Federal, 

Local, or International (F/L/I).. : 

I 


Arrest Subject Priority <A/B/C). 

Did Subject Resist (Y/N) 

Was Subject Armed <Y/N) 


1 = Used, but did not help 

2 = Helped, Minimally 

3 = Helped, Substantially 

4 = Absolutely Essential 


b6 

b7C 


b6 

b7C 


b7E 


United States Code Violation 


Title Section Count 


Accomplishment Narrative 



hhh immmmTim ixiffiiiiiin 

HlllilllH 

illllllH 




File No. 163L-BO-893; 288A-JK-53354 


Embassy of the United States of America 

Office of Legal Attache 
Bucharest, Romania 

1 June 2012 


RE: Anonymous Romania 



b7D 


b7D 


b6 

b7C 


By: SA l 

Assistant Legal Attache 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and 
its contents are not to be distributed outside your agency. 



(Rev, 05-01-2008) 


M.L IWFOBWITIQN COKriJlINin 


FEDERAL BUREAU OF INVESTIGATION 


Precedence : ROUTINE 

To: Jacksonville 

From: Jacksonville 

11 

Contact ; SA 


Date: 05/29/2012 



Approved By : | 

Drafted By: D .n 

Case ID #: 288A- JK-53354 (Pending) ' 

Title: UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - VICTIM 

Synopsis: To update case on arrest of multiple individuals 

related to the above referenced investigation. 


Details: (U/ 


-On 5/29/2012 ALAT 


advised that 



(U//FOUei)^ALAT I ~l provided a link to the official 

press release which was printed out and placed in a lA and sent 
to the file. 

(U//F©UCXLJljCSO was contacted and 'advised of the arrest 
and stated that they will contin ue to coordinate with the FBI on 
any press releases they provide. I I 


UNCLASSIFIED//ruU UiilL'lAL U,'.L 


, 15(0)312. wpd 


b6 

b7C 





UNCIiASSIFIED//riJlL UiilL'liliJ ULL 



To: Jacksonville From: Jacksonville 
Re: 288A-JK-53354, 05/29/2012 


I LC SO 

has also provided I I 
copies of data from the intrusion which were shipped to FBI 
Jacksonville on 5/25/2012. 


♦♦ 


UNCLASSIFIED//ruU UiilUlilL UtL UiJLZ 

2 

f' 


b7D 


(Rev. 05-01-2008) 



|||:||||:||§|||^|||§|^ 

I■llll■■lllllll4 By 336J55T41/NSICG 




UNCIASSIFIED//ruil. 01 1 HJIAL U^L UIIlT 


FEDERAL BUREAU OF INVESTIGATION 


Precedence; ROUTINE Date; 05/30/2012 

To; Jacksonville 
From; Jacksonville 


11 


Contact; SA I I 




Approved By; 


Drafted By; 


Case ID #; 288A-JK-53354 (Pending) 




Title; UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - VICTIM 


Synopsis; To document receipt of evidence. 


Details; (U/T^'OUOh- O n 5/30/2012 W riter received two (2) 
shipments of evidence | 
investigation. The two 


] relating to the above 

(2) shipments contained the following 
which were placed in evidence on 5/30/2012: 



b6 

b7C 


b7D 


b7D 


UNCLASSIFIED//ruk Ui i iClAL UbL 


]lS^~~|on2.wpd 


b6 

b7C 




FD.542 (Rev. 03-23-2009) 


IIIIIIIIIH^^^ 


UNCLASSIFIED//IulL Oi'i'lUlAL UDlii O^li^ 

FEDERAL BUREAU OF INVESTIGATION 


Precedence : ROUTINE 

To; Jacksonville 

From; Jacksonville 
11 

Contact ; SA Q 


Date; 05/31/2012 


Approved By; Q 
Drafted By; Q 


b6 

b7C 


Case ID #; 288A- JK-53354 (Pending) 




Title; UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - VICTIM 

Synopsis; ( U//POUO) To update case and claim statistical 
accomplishments . 

Details; ( U//PO UO )- Writer has worked with the Lake County 
Sheriff's Office H 



b6 

b7C 

b7D 


file. 


] and a copy placed in a lA and sent to the 


UNCLASSIFIED/ZrOR Ui I K.'I All IIM lt|l;([J■XTS^[ 


]vl5:Qo212.wpd 


b6 

b7C 



To: 
Re : 




UNCimSSIFIED// rDl L Oil’l CIAL UPE 

Jacksonville From: Jacksonville 
288A-JK-53354, 5/31/2012 




Accomplishment Information: 

Number : 1 

Type: CIP CASE 

ITU: CIP 

Claimed By: 

SSN: I ~l 

Name : I I 

Squad: 11 

Number : 1 1 

Type : CIP I 

ITU: CIP 

Claimed By: 

SSN: I 
Name: I 
Squad: 11 

Number : 1 

Type: CIP SUBJECT IDENTIFIED 

ITU: CIP 

Claimed By: 

SSN: I 1 

Name: I ~l 

Squad: 11 

Number : 1 

Type: CIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 

ITU: CIP 

Claimed By: 

SSN: I ~l 

Name: I 1 

Squad: 11 

Number: 1 

Type: CIP VICTIM CONTACTED/ INTERVIEWED 

ITU: CIP 

Claimed By: 

SSN: I ~l 

Name: \ \ 

Squad: 11 

Number : 1 

Type; CIP case] 

ITU: CIP 

Claimed By; 


ARREST/ SEARCH WARRANT CONDUCTED 


b7E 


b6 

b7C 


b7E 


b6 

b7C 


b6 

b7C 


b6 

b7C 


b6 

b7C 


b7E 


UNCLASSIFIED/Zrcir. UiijiliJlAij ULL OlILT 


2 






SSIFIED/yfEOETOFi^S^ 



To: Jacksonville From: Jacksonville 

Re: 288A-JK-53354, 5/31/2012 


SSN: 

1 1 

b6 

Name : 

1 

b7C 

Squad : 

11 


Number : 1 



Type : CIP[ 

IaRREST/ SEARCH WARRANT CONDUCTED 

b7E 

ITU: CIP 

Claimed By: 



SSN: 1 

1 

b6 

Name : 

1 1 

b7C 

Squad : 

11 


Number : 1 



Type : CIP 

ITU: CIP 

Claimed By: 

SUBJECT IDENTIFIED 


SSN: 

1 

b6 

Name : 

1 

b7C 

Squad : 

11 


Number : 1 



Type: CIP 

ITU: CIP 

Claimed By: 

SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 


SSN: 


b6 

Name : 

1 1 

b7C 

.Squad : 

11 


Number : 1 

Type: CIP 

ITU: CIP 

Claimed By: 

VICTIM CONTACTED/ INTERVIEWED 


SSN: 1 

1 

b6 

Name : 

1 1 

b7C 

Squad: 

11 

1 


♦♦ 


UNCLASS I FIED//rCIR OFFICIAL UCE OITEY 


3 



ir- • 


i^LL mwcmmTim cdraimo 

IliBllilllll^^^^^ 


(Rev. 05^01-2008)* 


UNCLASSIFIED// n: ii r~g i I'l UliLL U Uij O^li^ 

FEDERAL BUREAU OF INVESTIGATION 


Precedence; ROUTINE Date; 06/04/2012 

To; Jacksonville 


From; Jacksonville 
11 

Contact; SA [ 


Approved By; 


Drafted By; [ 


Case ID #; 288A- JK-53354 (Pending) 

Title; UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - 


9-0 

VICTIM 


Synopsis; To document 


Details; (U //FOUO)- On 5/ 30/2012 Writer received two (2) shipments 
of evidence | | relating to the above investigation. The 

two (2) shipments contained the following which were placed in 
evidence on 5/30/2012: 


b6 

b7C 


b7E 


b7D 


Tt^m DPHrvin^-ion 


UNCLASSIFIED//ri:ili'. l.lMi M,' I ii'ih II' li 


b6 

b7C 



UNCEASSIFIED//;EQB::DFFI€$ft3Br^BFSE-^Ii 


To: Jacksonville From: Jacksonville 

Re: 288A-JK-53354, 06/04/2012 


(U/ T ^OUO j - CART made copies of the above media [ 


♦♦ 


UNCLASSIFIED/ZFuIL OiiiUiAL ULiL UHlI 




File No. 163L-BO-893; 288A-JK-53354 


MU l li 

Millllfc-aiMili l^MI lllll^^^ 

Embassy of the United States of America 

Office of Legal Attache 
Bucharest, Romania 


6 June 2012 


b7D 


RE: Anonymous Romania 
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By: SA I ~ 

Assistant Legal Attach^ 
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Precedence : ROUTINE 

To; Jacksonville 

From: Jacksonville 
11 

Contact ; SA 


Approved By: 
Drafted By: 


Case ID #: 288A- JK-53354 (Pending) 


Date; 06/14/2012 





Title: UNSUB (S) ; 

LAKE COUNTY SHERIFF'S OFFICE - VICTIM 

Synopsis ; To document the receipt of a report ( | 

I I of data for the above referenced case for the period 

6/4/2012 - 6/8/2012. 

Details: (U/7E*OueOL Writer received the following report from the 
first part of the data analysis of the Lake County Sh eriff's 
Office data I L 
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Precedence : 
To : Cyber 


ROUTINE 


Date: 06/26/2012 


Attn: CCUl, SA\~ 

CCU 2, ssaT 
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Prom: 


Jacksonville 

International Operations 

; Bucharest 

Contact : ALAT I 


Attn: 

Attn: 


SSAj 
SA 
SA 
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Eurasia Unit, SSA C 
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Case ID #: 163L-BO-893 

288A-jK-53354 

Title: ANONYMOUS ROMANIA 

Synopsis: (//ROU df 


7^ 

(Pending)'' / 
(Pending) 


Anonymous Romania. 


Derived 
Decla 


] regarding memoers ot 
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Itx^e Sources 
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To: Cyber From: Bucharest 
Re: 163'L-BO-893, 06/26/2012 


LEM>(s) : 

Set Lead 1: (Info) 

CYBER 

AT CCU-1. DC 
Read and clear. 

Set Lead 2: (Info) 

% 

JACKSONVILLE 

AT JACKSONVILLE. FL 
Read and clear. 

Set Lead 3: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT. DC 
Read and clear. 


♦♦ 
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To: Cyber Fr’om: Bucharest 

Re: 163L-BO-893, 06/27/2012 


LEM)(s) : 

Set Lead 1 : (Action) 

CYBER’ 


AT PITTSBURGH. PA. CIRFU 

Conduct searches of relevant datasets and 
provide any information on the channels #OpRoraania and 
#tangodown. Also, provide any information on planned attacks on 
Romania due to the recent arrests of Anonymous Romania members if 
encountered. 

Set Lead 2 : (Info) 

JACKSONVILLE 

AT JACKSONVILLE. FL 
Read and clear. 


Set Lead 3: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT, DC 
Read and clear. 
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Precedence : 
To: Cyber 


ROUTINE 


Date: 06/25/2012 


Attn; 


CCUl, SA 
CCU2, SSA 
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Jacksonville 

Attn: SAI 



Shi 


International Operations 

Attn: Eurasia Unit, SSA 
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From: Bucharest 
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Title: ANONYMOUS ROMANIA • 

Synopsis: Provide details of arrest and case update. 
Details: On 5/29/2012 I 


] The prosecutor placed 


b6 

b7C 

b7D 


two of 'the subjects under arrest including the primary suspect 
implicated in the Lake County Sheriff's Office (LCSO) computer 
intrusion, L =3 The Other person 


arrested was 
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Although Legat Bucharest would have liked to work 
towards I I extradition to the United States to face 


prosecution, due to the extradition treaty between Romania and 
the United States (US) , he cannot be extradited Until all legal 
proceedings in Romania, including the prison sentence, are 
complete. Once judicial authority has been requested in a 
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UNCLASSIFIED 
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To;: Cyber From: Bucharest 
Re: 163L-BO-893, 06/25/2012 



Romanian investigation, such as a search warrant, the, police are 
unable to pass the case to another jurisdiction for prosecution. 
Additionally, because Romania charged the LCSO in their 
indictment, extradition proceedings would face a more fundamental 
double- jeopardy issue in both the US and Romania. 
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To: Cyber From: Bucharest 
Re: 163L-BO-893, 06/25/2012 

LEAD(s) : 

Set Lead 1: (Info) 

CYBER 

AT CCU-1. DC 
Read and clear. 

Set Lead 2: (Info) 

JACKSONVILLE 

AT JACKSONVILLE. FL 
Read and clear. 

Set Lead 3: (Info) 

INTERNATIONAL OPERATIONS 

AT EURASIA UNIT. DC 
Read and clear. 


♦♦ 


UNCLASSIFIED 


